Dating site and hacker in online spat over security breach

The founder of Canadian dating website PlentyOfFish.com has become embroiled in an online spat with a white-hat hacker who found security bugs on the site and a reporter who began asking questions about the flaw. Markus Frind, the founder and chief executive of Plenty of Fish, claims he was approached by someone who exported …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    fools

    "Krebs reckons the site got into problems because it stored user login credentials in plain text, a point PlentyofFish disputes."

    How can they dispute this? They email EVERY user their password in PLAIN TEXT on a weekly basis. Unsolicited. Turning that weekly email off is a chore.

    Every week. Helpfully reminding you of your password. Not "some of it". Not "a hint". Not a masked version. All of it.

    1. Ben Tasker
      Coffee/keyboard

      WHAT?????

      I have a shitfit whenever a site asks you to set a password and then e-mails it to you in plaintext.

      If a site I used e-mailed it in plaintext every week I'd probably wind up driving to their HQ and smashing their e-mail servers!

  2. Anomalous Cowherd Silver badge

    This came up on slashdot

    A few punters there said the site would regularly email them their password as part of a "reminder" email. So plaintext or not, it was recoverable, which is very bad - they should have stored a hash for comparisons.
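
The distinction the comment above draws (a recoverable password versus a stored hash) in working code. This is an added illustration, not code from the site or the article: a plaintext store that can write the "reminder" email the commenters describe, beside a store that keeps only a random salt and a PBKDF2-HMAC-SHA256 digest, so the password can be verified but never recited back. The iteration count and class names are constructed for the example.

```python
import hashlib
import hmac
import os

# PBKDF2 parameters for this demo. The iteration count is a constructed
# example value chosen so the block runs quickly; tune it for production.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


class PlaintextStore:
    """The pattern the commenters describe: the password itself is kept,
    so a reminder email, or anyone who can read the table, gets it back."""

    def __init__(self):
        self._passwords = {}  # user -> password (recoverable by design)

    def register(self, user, password):
        self._passwords[user] = password

    def check(self, user, password):
        return self._passwords.get(user) == password

    def reminder_email_body(self, user):
        # Exactly the message that should be impossible to generate.
        return f"Your password is: {self._passwords[user]}"


class HashedStore:
    """Keeps only (salt, digest); the password can be checked, not recovered.
    A reminder email like the one above cannot be produced from this data."""

    def __init__(self):
        self._records = {}  # user -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        # Slow, salted one-way derivation of the stored comparison value.
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def register(self, user, password):
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt
        self._records[user] = (salt, self._derive(password, salt))

    def check(self, user, password):
        record = self._records.get(user)
        if record is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def stored_record(self, user):
        """What a database dump would expose: hex salt and hex digest only."""
        salt, digest = self._records[user]
        return salt.hex(), digest.hex()


if __name__ == "__main__":
    weak = PlaintextStore()
    weak.register("alice", "hunter2")  # constructed sample credentials
    print("plaintext store can send:", weak.reminder_email_body("alice"))

    strong = HashedStore()
    strong.register("alice", "hunter2")
    print("hashed store holds only:", strong.stored_record("alice"))
    print("login with right password:", strong.check("alice", "hunter2"))
    print("login with wrong password:", strong.check("alice", "hunter3"))
```

The same password registered twice yields two different digests because each registration draws its own salt, which is what stops a leaked table from being attacked one hash at a time across many users.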

  3. Paul 172
    Stop

    White hat ??

    Doesn't sound very white-hat to me...

    1. Glenn Charles
      Happy

      Chris Russo

      Is a fairly well-known white hat hacker.

      --Glenn

  4. MikeyD85
    Thumb Down

    PoF

    Has the worst UI I've ever seen. It's just so bad.

    1. This post has been deleted by its author

    2. JaitcH
      Unhappy

      Has the worst UI I've ever seen. Did you go ...

      any further and check out the 'fish'.

      Pretty rough looking.

  5. Anonymous Coward
    FAIL

    Not the only company to use Plaintext Passwords

    Virginmedia sent me an unsolicited letter recently with my "new" password on it.

    Except it wasn't a new password, it was the password I'd been using for several (!) months (since we all change our ISP password every few months, don't we!)

    So if they can print it on a letter, I'm betting they can view it on screen too.

    It's changed now though!

  6. Anonymous Coward
    Anonymous Coward

    Emailed Password

    DatingAgency.com send you a copy of your password and login name with every email that they send you, all in plaintext, despite being told to stop it a number of times.

  7. Inachu
    WTF?

    POF security?

    Once you log into POF there is still no security.

    You think you are dealing with a MATURE and SECURE website for adults to be dating other adults.

    But when you join POF you are not treated like an ADULT.

    All your emails are read when sent to your potential partner.

    Kinda like sending your love letter through a prison where the warden reads all your mail.

    Of course they justify this saying it's a private site and they can do as they please.

    Make note if no woman ever contacts you it is because another male at POF has stopped your send and deleted your email.

    So POF is really a fake site made for closet basement boys who like to read other men's emails to women.

  8. Anonymous Coward
    Thumb Down

    Plenty of Phish?

    Yup, they send lots of plaintext passwords around the internet. The new reset password hit my inbox in plaintext earlier this week. It isn't like it is hard for someone with access to configure a router on a main trunk to store copies of any email containing the word "password" that hops through it! You can even machine-sort them by source address and then apply a simple filter to extract username and password into a table, ready for sale to the highest bidder.

  9. Maty

    Yesbut

    the details of the 'hack' don't make sense.

    'Krebs set up a free account on the site, details of which Russo was able to recite back to him'

    -umm which details exactly? Presumably not the details which were available to anyone browsing the site looking for information put up expressly for that purpose?

    So are we talking banking details? Presumably not, as this was a free account. Email? Home address? Or was it possible to pwn the acct - and if it was, why not say so?

    I guess I could follow up the links and find out, but isn't that kinda what the reporter of this story should have done?

    1. Glenn Charles

      No

      No, he shouldn't have posted details, think about it. White hat hacker. No details. Reporter may know details, but should not publish them. Why? Because the details will probably be used.

      --Glenn

  10. YARR
    Flame

    Tee-hee-hee

    He should have downloaded the entire membership database and sent it to WikiLeaks since they have a habit of distributing the personal details of innocent people. No doubt most of the readership of this website would approve judging by the votes on recent WikiLeaks articles.

  11. Jay Clericus
    Happy

    pof emails changed :)

    Used to get my password emailed to me; there were complaints on the forums, but there was a recent password reset and it changed to some random password, now stored in browser and some other place with the other 50-100 passwords I use.

  12. Graham Bartlett

    Why bother with the place

    After all, when it comes to dating sites, there are plenty of fish in the sea...

  13. Jean-Luc
    Joke

    If at first you fail... fail, fail again

    Just got an email with the new password I had had to reset. In plain text, again :-(

    Not to mention that the reset password procedure was epic in how badly it was presented:

    Standard old password, new password, new password confirm form. Except that he filled in the old password field with the, still current, user name. But when I typed in my new password twice, I was told the old password didn't match (it had been pre-filled with the user name, but I was logged in already).

    Several doh moments later, my new password was ready... for transmission in clear via email.

    But, eh, the site's free and there is nothing really private on my profile, besides me admitting that I like to wear pink tutus, enjoy cross-dressing and have fantasies about a Mother Theresa and Megan Fox threesome ;-)

    1. Anonymous Coward
      Unhappy

      You should read your mail

      I posted to that ad of yours Jean-Luc and you never replied back. I had my GIMP suit and mother Theresa mask all ready for a date even.
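
Several posts above (the weekly reminder, and Jean-Luc's reset that came back in clear) come down to the same design error: the reset or reminder email carries the password. The added example below, which is not code from the site or from the article, shows the alternative a reset flow should use: a random single-use token with a short expiry, of which the server stores only a SHA-256 fingerprint, so the email carries a link that lets the user choose a new password and never a password itself. The URL, TTL and class names are constructed for the illustration, and the clock is injectable so expiry can be tested.

```python
import hashlib
import secrets
import time

# Constructed example value: how long a reset link stays valid.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenService:
    """Issues and redeems single-use, time-limited password reset tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # fingerprint(token) -> (user, expires_at); the raw token is never stored,
        # so a leaked table does not let anyone redeem outstanding resets.
        self._pending = {}

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user):
        """Create a token for `user`; the caller puts it in the reset email."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._fingerprint(token)] = (user, expires_at)
        return token

    def reset_email_body(self, token):
        # Hypothetical URL for the example. The message carries the token,
        # which is useless after one use or after the TTL, and no password.
        return (
            "To choose a new password, open "
            f"https://example.invalid/reset?token={token} "
            f"within {TOKEN_TTL_SECONDS // 60} minutes."
        )

    def redeem(self, token):
        """Return the user allowed to set a new password, or None.

        The token is consumed on the first attempt, valid or expired, so it
        cannot be replayed from a forwarded or intercepted email."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user


if __name__ == "__main__":
    service = ResetTokenService()
    token = service.issue("jean-luc")  # constructed sample user
    print(service.reset_email_body(token))
    print("first redeem :", service.redeem(token))
    print("second redeem:", service.redeem(token))
```

After a successful `redeem`, the application lets that user submit a new password and stores it hashed; nothing in this flow ever needs the old or new password in an email, which is the property the commenters were asking for.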
